Forensics On Video Conferencing Systems

Transcription

1 Forensics On Video Conferencing Systems University of Erlangen-Nuremberg January 28th, 2014

2 Agenda Part 1 Hacking VC Systems Attack surface Firmware analysis Device rooting Finding and exploiting bugs Part 2 Forensic Analysis Challenges Creating forensic copies Finding forensic evidence

3 Who am I? Moritz Jodeit Hamburg Principal Consultant at n.runs Application Security Reversing, bug hunting, writing exploits, Black Hat EU 2013 Talk Hacking Video Conferencing Systems

4 Motivation?

5 Hacking Videoconf Systems? yay! Neue NSA-Dokumente: US-Geheimdienst hörte Zentrale der Vereinten Nationen ab Demnach ist es der NSA im Sommer 2012 gelungen, in die interne Videokonferenzanlage der Völkergemeinschaft einzudringen und die Verschlüsselung zu knacken. Dies habe für "eine dramatische Verbesserung der Daten aus Video- Telekonferenzen und der Fähigkeit, diesen Datenverkehr zu entschlüsseln" gesorgt, heißt es in einem geheimen NSA-Dokument. "Der Datenverkehr liefert uns die internen Video-Telekonferenzen der Uno (yay!)". Innerhalb von knapp drei Wochen sei die Zahl der entschlüsselten Kommunikationen von 12 auf 458 angestiegen. In einem Fall habe die NSA zudem den chinesischen Geheimdienst dabei ertappt, ebenfalls zu spionieren. Daraufhin haben die NSA abgefangen, was zuvor die Chinesen abgehört hatten. Quelle:

6 Hacking Videoconf Systems? yay! Neue NSA-Dokumente: US-Geheimdienst hörte Zentrale der Vereinten Nationen ab Demnach ist es der NSA im Sommer 2012 gelungen, in die interne Videokonferenzanlage der Völkergemeinschaft einzudringen und die Verschlüsselung zu knacken. Dies habe für "eine dramatische Verbesserung der Daten aus Video-Telekonferenzen und der Fähigkeit, diesen Datenverkehr zu entschlüsseln" gesorgt, heißt es in einem geheimen NSA-Dokument. "Der Datenverkehr liefert uns die internen Video-Telekonferenzen der Uno (yay!)". Innerhalb von knapp drei Wochen sei die Zahl der entschlüsselten Kommunikationen von 12 auf 458 angestiegen. In einem Fall habe die NSA zudem den chinesischen Geheimdienst dabei ertappt, ebenfalls zu spionieren. Daraufhin haben die NSA abgefangen, was zuvor die Chinesen abgehört hatten. Quelle:

7 Hacking Videoconf Systems? yay! Neue NSA-Dokumente: US-Geheimdienst hörte Zentrale der Vereinten Nationen ab Demnach ist es der NSA im Sommer 2012 gelungen, in die interne Videokonferenzanlage der Völkergemeinschaft einzudringen und die Verschlüsselung zu knacken. Dies habe für "eine dramatische Verbesserung der Daten aus Video- Telekonferenzen und der Fähigkeit, diesen Datenverkehr zu entschlüsseln" gesorgt, heißt es in einem geheimen NSA-Dokument. "Der Datenverkehr liefert uns die internen Video-Telekonferenzen der Uno (yay!)". Innerhalb von knapp drei Wochen sei die Zahl der entschlüsselten Kommunikationen von 12 auf 458 angestiegen. In einem Fall habe die NSA zudem den chinesischen Geheimdienst dabei ertappt, ebenfalls zu spionieren. Daraufhin haben die NSA abgefangen, was zuvor die Chinesen abgehört hatten. Quelle:

8 Hacking Videoconf Systems? yay! Neue NSA-Dokumente: US-Geheimdienst hörte Zentrale der Vereinten Nationen ab Demnach ist es der NSA im Sommer 2012 gelungen, in die interne Videokonferenzanlage der Völkergemeinschaft einzudringen und die Verschlüsselung zu knacken. Dies habe für "eine dramatische Verbesserung der Daten aus Video- Telekonferenzen und der Fähigkeit, diesen Datenverkehr zu entschlüsseln" gesorgt, heißt es in einem geheimen NSA-Dokument. "Der Datenverkehr liefert uns die internen Video-Telekonferenzen der Uno (yay!)". Innerhalb von knapp drei Wochen sei die Zahl der entschlüsselten Kommunikationen von 12 auf 458 angestiegen. In einem Fall habe die NSA zudem den chinesischen Geheimdienst dabei ertappt, ebenfalls zu spionieren. Daraufhin haben die NSA abgefangen, was zuvor die Chinesen abgehört hatten. Quelle:

9 How it all started Compromising secured VC systems? Basic assumptions Current Firmware Hardened system configuration No administrative interfaces Only H.323 or SIP ports reachable Alternative: Only access via PSTN

10 Revenue Market Share Top Five Enterprise Videoconferencing and Telepresence Vendors Cisco (50.6%) Polycom (26.3%) Others (13.1%) Lifesize (5%) Teliris (2.6%) Vidyo (2.5%) Published by IDC for Q1 2012

11 Polycom One of the leading vendors Different telepresence solutions Most popular units cost up to $25,000 Polycom customers Government agencies / ministries worldwide World s 10 largest banks 6 largest insurance companies

12 Polycom HDX Systems Popular video conferencing solution Different configs (HDX ) HDX 7000 HD (our lab equipment) EagleEye HD camera Mica Microphone array Remote control Connected to ext. display

13 Attack Surface

14 Attack Surface

15 Attack Surface Polycom HDX Web Interface Provisioning Service API Interface (serial console, TCP port 24) Polycom Command Shell (TCP port 23) SNMP Video conferencing protocols H.323 and SIP

16 Attack Surface Polycom HDX Web Interface Provisioning Service API Interface (serial console, TCP port 24) Polycom Command Shell (TCP port 23) SNMP Video conferencing protocols H.323 and SIP

17 Firmware Analysis Software updates (support.polycom.com) ZIP archives contain single PUP file Manual installation or via provisioning Analysis based on version 3.0.5

18 PUP File Structure

19 PUP File Structure PUP file header Bootstrap archive Bootstrap code to install update Main functionality in setup.sh script Update package

20 PUP Header Figuring out the PUP header file format Found puputils.ppc in extracted firmware Polycom Update Utilities Used to verify and install updates Can be run inside Qemu (Debian on PPC)

21 PUP Header Every PUP file starts with fixed PUP file ID PPUP or PPDP Several fixed-size fields Padded with null bytes

22 Length (bytes) Description PUP Header 5 PUP File ID 4 Header Version 20 Header MAC Signature 32 Processor Type 32 Project Code Name 16 Software Version 16 Type of Software 32 Hardware Model 16 Build Number 32 Build Date 16 Build By 16 File Size (without header) 5 Compression algorithm 445 Supported Hardware 81 Signature (ASN.1 encoded)

23 Length (bytes) Description PUP Header 5 PUP File ID 4 Header Version 20 Header MAC Signature 32 Processor Type 32 Project Code Name 16 Software Version 16 Type of Software 32 Hardware Model 16 Build Number 32 Build Date 16 Build By 16 File Size (without header) 5 Compression algorithm 445 Supported Hardware 81 Signature (ASN.1 encoded)

24 Header HMAC Header HMAC value stored in PUP header Verification process 1. Set Header HMAC field to zero 2. Calculate HMAC over PUP header 3. Compare result with stored value 4. Abort update if result doesn t match

25 Header HMAC

26 Header HMAC Secret is required for verification Must be stored on the device Can be extracted :) Hardcoded in puputils.ppc binary

27 Header HMAC Secret is required for verification Must be stored on the device Can be extracted :) Hardcoded in puputils.ppc binary

28 Header HMAC Secret allows to calculate valid HMAC No reversing of HMAC algorithm required Correct HMAC is part of the error message!

29 Public Key DSA Signature 2nd protection to prevent file tampering Used in addition to the header HMAC Verifies integrity of the whole file Including the PUP header Signature is stored in PUP header ASN.1 encoded form No further analysis conducted

30 Device Rooting

31 Device Rooting No system level access to the device Reasons for getting root access Simplifies bug hunting More device control for fuzzing Process monitoring Restarting processes Makes exploit development a lot easier

32 Device Rooting Can be achieved in different ways Exploiting command injection Direct modification of CF card Undocumented Developer Boot Mode

33 HDX Boot Modes Production vs. Development boot mode Development mode enables telnet server Allows root login without password For details see my BH 2013 whitepaper

34 Device Rooting

35 System Architecture MPC8349EMITX SoC Freescale e300c1 PowerPC processor Linux-based system Kernel U-Boot boot loader Comes with standard binaries busybox, wget, gdbserver,

36 Main Processes AppMain Java Process GUI Web interface functionality User authentication + crypto functionality Polycom AVC H.323 SIP

37 Polycom AVC Implemented in /opt/polycom/bin/avc Huge non-stripped binary (~ 50 MB) Implemented in C Running as root E.g. implementation of H.323 and SIP and many other complicated protocols What could possibly go wrong? :)

38 Polycom AVC The place to look for bugs in VC protocols > 800 xrefs to strcpy() > 1400 xrefs to sprintf() No exploit mitigations at all Easy to reverse engineer due to symbols

39 Vulndev Environment Create debugging environment on device Eases bug hunting Simplifies exploit development process GDB remote debugging System already ships with a gdbserver binary Disabling Polycom watchdog daemon Create the watchdog_disable.dat config file

40 Bug Hunting We focused on the H.323 protocol Old and complex protocol Still in use at many locations nowadays Many different H.323 signaling protocols We looked at the H Q.931 protocol

41 H Q.931 Consists of binary encoded messages Messages consist of Information Elements (IE s) Encoded in ASN.1 Several different IE s are defined IE s provide information to remote site Callers identity, capabilities,

42 H Q.931

43 Call Initiation Client connects to TCP port 1720 Sends SETUP packet Indicates clients desire to start a call SETUP packet is parsed even if call fails E.g. call is not accepted by remote site Full call establishment requires more msgs But not relevant for this discussion

44 Call Detail Records HDX systems store call detail records (CDRs) Also written for failed calls Every SETUP packet generates a CDR entry CDR table stored in SQLite database Written records include Call start/end time Call direction Remote system name Extracted from Display IE

45 Format String Vulnerability SQL query string for writing CDR entry Passed as format str to the vsnprintf() function We control the embedded Display IE Bug triggered with single SETUP packet

46 Exploit Strategy 1. Turn bug into write4 primitive Write 4 arbitrary bytes at arbitrary address Single SETUP packet writes 4 bytes 2. Use write4 primitive to store shellcode 3. Use write4 to overwrite function ptr And let the code jump into stored shellcode 4. PROFIT!

47 Format String Stack Layout

48 Shellcode Simple PowerPC system() shellcode Provides a back-connect shell Executes our HDX payload HDX payload Controls the device s peripherals PTZ camera, microphone, display, etc. Based on Polycom s internal IPC mechanism (XCOM) For further details see my BH 2013 whitepaper

49 Function Pointer Constraints The function ptr has a few requirements We need to be able to trigger it remotely Restrictions on the format string Bytes in fmt str must be 0x00 < b < 0x80 Otherwise logging code is not hit Same restriction applies to address of function ptr

50 Finding Function Pointers Highlighted potential addresses in IDA Checked xrefs for use of PowerPC mtctr / bctrl instructions

51 Function Pointer Overwrite Timer thread running in VideoBitsStreamPoleTimerProc() Jumps to [CodecPoleList]+0x1494

52 Remote Root Exploit

53 Forensic Analyis

54 Forensic Analysis Challenges Requires deep understanding of system Documentation not publicly available Requires extensive research up front Every vendor uses their custom firmware But even for the same vendor Different firmware versions Different hardware releases

55 First Steps Disconnect the power supply! HDX systems log a lot of information Use of a pretty small ring buffer Evidence gets overwritten quickly Do not do a normal shutdow A lot information gets logged in that case!

56 Creating a Forensic Copy We can t work on the system directly Forensic copy of the internal memory Further analysis only conducted on image

57 Extracting Memory Cards HDX systems use CompactFlash cards Various HDX versions have different cases Different ways to get to the CF card HDX 8000 vs. HDX 9000 Extracting the CF card can be a bit tricky in some cases

58 Opening HDX Systems DISCLAIMER Having the right hardware tools might make the job easier :)

59 Polycom HDX 8000 One of the smaller HDX systems Can be opened quite easily If you know how to do it ;) Three screws need to be removed Side of the case can be slided to the front

60 Polycom HDX 8000

61 Polycom HDX 9000 One of the bigger HDX systems Case can be opened quite easily Getting access to the CF card is another story Just remove all screws on back and sides

62 Polycom HDX 9000

63 Polycom HDX 9000 CF card is hidden beneath several PCBs

64 Polycom HDX 9000 Accessing the CF card is tricky Removing all PCBs Would require a complete dismount Could easily damage something :( We didn t have the right tools We needed to improvise :P

65 Removing Internal Modem

66 Removing Internal Modem

67 Removing Internal Modem

68 Removing Power Connectors

69 Removing CF Card Screw Touching the screw holding the CF card with a single finger is now possible

70 Removing CF Card Screw Place one hand under covering PCB Touching screw with single finger is now possible But screw must be loosened first

71 Used Tools ;)

72 Removing CF Card Screw Extended nipper used to loosen screw Nipper can t be rotated enough Used magnetic stick to turn the screw This was really fiddly and required nerves! Probably lost some hair during this operation

73 Removing CF Card Screw

74 Removing CF Card Screw

75 Removing CF Card

76 Removing CF Card

77 File System Analysis

78 File System Analysis Analysis on created CF card image HDX systems have four partitions Partition Description Type Mounted /dev/hda1 Boot related files, Linux kernel image ext2 ro /dev/hda2 Root file system ext2 ro /dev/hda3 Log and configuration files ext3 rw /dev/hda4 Factory restore file system ext2 --

79 Log Files Stored in /var/log on /dev/hda3 Pretty extensive logging by default Good for the forensic analysis Bad, because logs get overwritten quickly

80 Things to look for Failed or successful login attempts Initiated video calls Typical Linux-based forensics stuff Crashed daemons reboots, etc.

81 Configuration Files Stored in /dat directory on /dev/hda3 Every setting stored in single.dat file Text-based files One or more lines of text

82 Interesting Config Files Version of current firmware Stored in systemsoftwareversion.dat Known vulnerabilities in old versions Hashes of previously set passwords historymeetingpassword.dat historyremotepassword.dat historyroomsw.dat

83 Password Hashes Stored to prevent password re-use Passwords stored as SHA1 hashes Unsalted of course :) Cracking the SHA1 hashes Identifies potentially weak passwords Might give you password set by an attacker Timestamps indicate time of PW change

84 Last Adminstrator Login Last admin login is recorded lastloginfromadmin.dat lastloginsuccessdatetimeadmin.dat Can be correlated with timestamps

85 Call Detail Records Stored as a SQLite database /data/polycom/cdr/new/localcdr.db Included information Start and end date/time Call duration Called number Call direction Used protocols, etc.

86 Polycom Command Shell Was affected by remote vulns in the past Check if PSH was enabled telnet_enabled.dat

87 Root File System Always mounted read-only Only mounted read-write for updates Check last-modified timestamps Match all files against original image

88 Use of Public Exploits Access times might identify use of specific public exploits Metasploit PSH Telnet Auth Bypass Module psh_auth_bypass.rb Exploits auth bypass + command injection Uses OpenSSL reverse connect payload

89 Use of Public Exploits cmd/unix/reverse_openssl Uses busybox and openssl binaries Binaries not regularly called in production

90 Factory Restore Filesystem Contains an old firmware version Current version at the time of shipping? Never modified or mounted in prod! Attackers might use it for persistency Match all files against (old) original image Unusual timestamps should make you suspicious

91 Conclusion Forensics on VC systems requires internal system knowledge Knowing how to break them helps No advanced attacks observed yet But they happen! (see NSA hack) Having the right hardware tools helps :P

92 Questions?

93 Thank You! Moritz Jodeit n.runs professionals GmbH Principal Security Consultant Nassauer Straße 60 D Oberursel mobile: phone: fax: it. consulting. infrastructure. security. business